Date: Mon, 06 Jul 2015 09:34:24 +0200 From: Florian Weimer <fweimer@...hat.com> To: feld@...d.me CC: oss-security@...ts.openwall.com Subject: Re: node.js out of band write On 07/06/2015 01:51 AM, Mark Felder wrote: > Node has resolved a security vulnerability in their most recent release > but do not appear to have requested a CVE ID. > > http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/ > > Node v0.12.6 (Stable) > Sat, 04 Jul 2015 02:34:23 UTC - release > > This release of Node.js fixes a bug that triggers an out-of-band write > in V8's utf-8 decoder. This bug impacts all Buffer to String > conversions. This is an important security update as this bug can be > used to cause a denial of service attack. I have trouble reconciling this description with the fix in this commit: <https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6> Upstream v8 lacks this change. Is it required in Node.js because Node.js pokes at v8 internals in unsupported ways? -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ